Patents by Inventor Charles D. Robison

Charles D. Robison has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10841318
    Abstract: In accordance with embodiments of the present disclosure, an information handling system may include a processor and a program of instructions embodied in computer-readable media and configured to, when read and executed by the processor: responsive to administrator input associated with the information handling system or a second information handling system managed by the information handling system, set user permissions for one or more users with respect to basic input/output system (BIOS) settings of the information handling system or the second information handling system; and in accordance with the user permissions, create keys for securing BIOS settings of the information handling system or the second information handling system.
    Type: Grant
    Filed: July 5, 2018
    Date of Patent: November 17, 2020
    Assignee: Dell Products L.P.
    Inventors: Charles D. Robison, Daniel L. Hamlin, Joseph Kozlowski, Ricardo L. Martinez
  • Publication number: 20200274705
    Abstract: In a system of networked IHSs (Information Handling Systems) supporting the use of roaming biometric profiles, an individual may utilize biometric authentication for gaining access to various IHSs within the system. An IHS configured to support roaming biometric authentication includes biometric sensors that support secure transmission and management of biometric prints collected by such sensors. Such biometric sensors may interoperate with a secure processing component of the IHS in order to prevent transmission and storage of unprotected biometric prints, while still supporting roaming biometric authentication. The biometric sensor utilizes an encryption key for encoding biometric prints where the key is selected based on a group affiliation of the individual, thus protecting biometric prints from other groups that use roaming biometric authentication while sharing the same network of IHSs.
    Type: Application
    Filed: February 21, 2019
    Publication date: August 27, 2020
    Applicant: Dell Products, L.P.
    Inventors: Charles D. Robison, Daniel L. Hamlin
  • Patent number: 10742427
    Abstract: Systems and methods for tamper-proof detection triggering of automatic lockdown using a recoverable encryption mechanism issued from a secure escrow service. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; a secure storage device coupled to the processor, wherein the secure storage device comprises a container encrypted with a derived container key; and a memory coupled to the processor, the memory including program instructions stored thereon that, upon execution, cause the IHS to: receive a digital certificate from a remote server, wherein the digital certificate includes a public key and, in response to a detection of a tampering event, encrypt the derived container key using the public key.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: August 11, 2020
    Assignee: Dell Products, L.P.
    Inventors: Charles D. Robison, Carlton A. Andrews, Girish S. Dhoble, Joseph Kozlowski, Andrew T. Fausak, David Konetski, Ricardo L. Martinez
  • Publication number: 20200233983
    Abstract: A user or a provider of an IHS (Information Handling System) may prefer to disable, on a temporary or permanent basis, hardware components of the IHS. For instance, a user may prefer to prevent all microphone inputs through disabling of the microphone device of the IHS. Disabling hardware components via the operating system of IHS is cumbersome, especially for temporary hardware configurations. Embodiments provide the capability for securely managing certain hardware components of an IHS without reliance on the operating system of an IHS, while providing assurances that a hardware component is actually disabled. Embodiments assure disabling of a hardware component by providing the ability to terminate power to the component, where the power is terminated based on commands transmitted by a trusted resource via an out-of-band signal pathway to the hardware component.
    Type: Application
    Filed: January 17, 2019
    Publication date: July 23, 2020
    Applicant: Dell Products, L.P.
    Inventors: Charles D. Robison, Daniel L. Hamlin
  • Publication number: 20200204539
    Abstract: In some examples, a target device determines that each device of a plurality of devices (i) includes a certificate that is provided to each device during provisioning, (ii) is within a predetermined distance from the target device, (iii) includes a beacon secret that is broadcast to each device at a predetermined time interval, and (iv) that either: (a) a privilege level associated with at least one device of the plurality of devices satisfies a particular privilege level specified by an access policy or (b) a number of the plurality of devices with the determined distance from the target device satisfies a predetermined number specified by the access policy. The target device grants at least one device of the plurality of devices access to the target device, and receives a message from the at least one device. The target device initiates an action based at least in part on the message.
    Type: Application
    Filed: February 28, 2020
    Publication date: June 25, 2020
    Inventors: Charles D. Robison, Daniel L. Hamlin
  • Publication number: 20200193067
    Abstract: A display information protection system includes a management system that stores a plurality of display information protection policies and that may provide any of the display information protection policies through a network. An endpoint device is coupled to the management system through the network and stores a display information protection policy that may have been automatically populated or received from the management system. The endpoint device displays a plurality of information and may determine that a first subset of the plurality of information that has been provided for display is defined by the display information protection policy. In response to detecting the first display information protection event and determining that the first subset of a plurality of information is defined by the display information protection policy, the endpoint device obfuscates the display of the first subset of the plurality of information on the endpoint device.
    Type: Application
    Filed: February 21, 2020
    Publication date: June 18, 2020
    Inventors: Daniel L. Hamlin, Charles D. Robison, Jr.
  • Patent number: 10656936
    Abstract: Systems and methods are provided that may be implemented to track software developer code contributions and their respective revisions. In one exemplary implementation, a distributed ledger may be utilized to track software developer code contributions and their respective revisions. Each code contribution digest, code digest ID, developer public key and previous blockchain block may be compiled for a new block in the blockchain, and the compilation may first be hashed and signed by the private key of the developer. Each developer may have his/her own blockchain that resides within a code repository site and which may also be cached locally on the end user device and used to verify the integrity of the code contribution (e.g., application/service/executable) at the time it is installed on the end user device.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: May 19, 2020
    Assignee: Dell Products L.P.
    Inventors: Charles D. Robison, Andrew T. Fausak, Daniel L. Hamlin
  • Patent number: 10645557
    Abstract: A mobile device that includes an ownership token application program receives user input indicative of a first authentication factor associated with an ownership token bound to an Internet of Things (IoT) device. Responsive to detecting the IoT device in close proximity, the mobile device may obtain a second authentication factor and an IoT device identifier from the IoT device. The mobile device may then provide the obtained factors as authenticating credentials to a token server via a trust application program interface (API). After the server authenticates the mobile device, the server may send the token to the mobile device thereby transferring ownership rights, including access rights, to recipient. The application program and/or the trust API may be configured for one-time access wherein, after the token has been transferred to the mobile device. The discrete electronic device may comprise an Internet of Things (IoT device) that supports wireless, near field communication.
    Type: Grant
    Filed: April 4, 2017
    Date of Patent: May 5, 2020
    Assignee: Dell Products L.P.
    Inventors: Charles D. Robison, Daniel L. Hamlin, Warren Wade Robbins
  • Patent number: 10616207
    Abstract: In some examples, a target device may store a policy that includes one or more conditions. For example, a condition of the policy may specify that each device of the multiple devices have a certificate that was deployed to each device when each device was provisioned. A condition of the policy may specify that each device of the multiple devices be within a predetermined distance (or within a particular distance range) from the target device. A condition of the policy may specify that each device of the plurality of devices have a beacon secret that is periodically broadcast out-of-band by a local beacon. While the conditions of the policy are satisfied, the target device may grant the multiple devices access to the target device. If the target device determines that the conditions of the policy are no longer being satisfied, the target device may deny (or reduce) access.
    Type: Grant
    Filed: October 12, 2017
    Date of Patent: April 7, 2020
    Assignee: Dell Products, L.P.
    Inventors: Charles D. Robison, Daniel L. Hamlin
  • Publication number: 20200073657
    Abstract: Systems and methods are provided that may be implemented to track software developer code contributions and their respective revisions. In one exemplary implementation, a distributed ledger may be utilized to track software developer code contributions and their respective revisions. Each code contribution digest, code digest ID, developer public key and previous blockchain block may be compiled for a new block in the blockchain, and the compilation may first be hashed and signed by the private key of the developer. Each developer may have his/her own blockchain that resides within a code repository site and which may also be cached locally on the end user device and used to verify the integrity of the code contribution (e.g., application/service/executable) at the time it is installed on the end user device.
    Type: Application
    Filed: August 30, 2018
    Publication date: March 5, 2020
    Inventors: Charles D. Robison, Andrew T. Fausak, Daniel L. Hamlin
  • Publication number: 20200067984
    Abstract: A method and an information handling system for security management across a plurality of diverse execution environments. The method includes associating, based on a distributed computing framework, a secure execution environment interface with each diverse execution environment. The method includes receiving a general access policy to access at least one secure memory region associated with a respective one of the diverse execution environments. In response to a request to access a memory region associated with at least one diverse execution environment, the method includes prompting for entry of security credentials. In response to receiving and verifying the security credentials, the method establishes access to the secure memory region of the respective diverse execution environment. The method includes executing a subroutine to modify at least a subset of the secure memory region, and the method includes returning a result to a distributed application via the secure execution environment interface.
    Type: Application
    Filed: August 23, 2018
    Publication date: February 27, 2020
    Inventors: Andrew T. Fausak, Daniel L. Hamlin, Charles D. Robison
  • Patent number: 10572694
    Abstract: A display information protection system includes a management system that stores a plurality of display information protection policies and that may provide any of the display information protection policies through a network. An endpoint device is coupled to the management system through the network and stores a display information protection policy that may have been automatically populated or received from the management system. The endpoint device displays a plurality of information and may determine that a first subset of the plurality of information that has been provided for display is defined by the display information protection policy. In response to detecting the first display information protection event and determining that the first subset of a plurality of information is defined by the display information protection policy, the endpoint device obfuscates the display of the first subset of the plurality of information on the endpoint device.
    Type: Grant
    Filed: April 2, 2018
    Date of Patent: February 25, 2020
    Assignee: Dell Products L.P.
    Inventors: Daniel L. Hamlin, Charles D. Robison, Jr.
  • Publication number: 20200053080
    Abstract: An authentication system for providing shared credential authentication includes a client information handling (IHS) system having a resource service application, and a mobile IHS having a shared authentication application. The shared authentication token indicates that an authenticated state between the client IHS and the mobile IHS exists. The resource service application receives a request to access the resource, and sends an authentication request to an authentication server to authorize access to the resource. The shared authentication application receives a query from the authentication server to verify a status of a shared authentication token, and, when the shared authentication token is valid, responds to the query that the shared authentication token is valid. The resource service application further receives a response to the authentication request, and grants access to the resource when the authentication token indicates that the shared authentication token is valid.
    Type: Application
    Filed: August 7, 2018
    Publication date: February 13, 2020
    Inventors: Daniel L. Hamlin, Charles D. Robison
  • Patent number: 10552590
    Abstract: An authentication agent for an information handling system includes a request module, a threshold table, and a comparison module. The request module receives a first request to access a secure resource of the information handling system, determines a first access level associated with the first request, and requests first confidence level information from the information handling system. The threshold table includes a first confidence threshold associated with the first access level. The comparison module compares the first confidence level information with the first confidence threshold. The authentication agent grants access to the secure resource at the first access level when the first confidence level information is greater than the first confidence threshold.
    Type: Grant
    Filed: January 13, 2016
    Date of Patent: February 4, 2020
    Assignee: Dell Products, LP
    Inventors: Daniel Hamlin, Charles D. Robison, Jr., Carrie Elaine Gates
  • Patent number: 10541994
    Abstract: In an example of a system and method for time-based local authentication, an Information Handling System (IHS) may include a processor and a memory coupled to the processor. The memory may have program instructions stored thereon that, upon execution, cause the IHS to generate a first time token and to transmit the first time token to a secondary IHS via a local network, where the secondary IHS is configured to generate a second time token and to transmit the second time token to the IHS via the local network. The IHS may receive the second time token from the secondary IHS and it may determine whether the first time token matches the second time token. In response to the first time token matching the second time token, the IHS may receive access to a protected resource.
    Type: Grant
    Filed: April 22, 2016
    Date of Patent: January 21, 2020
    Assignee: Dell Products, L.P.
    Inventors: Daniel L. Hamlin, Minhaj Ahmed, Charles D. Robison
  • Publication number: 20200014701
    Abstract: In accordance with embodiments of the present disclosure, an information handling system may include a processor and a program of instructions embodied in computer-readable media and configured to, when read and executed by the processor: responsive to administrator input associated with the information handling system or a second information handling system managed by the information handling system, set user permissions for one or more users with respect to basic input/output system (BIOS) settings of the information handling system or the second information handling system; and in accordance with the user permissions, create keys for securing BIOS settings of the information handling system or the second information handling system.
    Type: Application
    Filed: July 5, 2018
    Publication date: January 9, 2020
    Applicant: Dell Products L.P.
    Inventors: Charles D. Robison, Daniel L. Hamlin, Joseph Kozlowski, Ricardo L. Martinez
  • Patent number: 10496801
    Abstract: An authentication engine for an information handling system includes an event engine that receives authentication information from a plurality of input devices of the information handling system and classifies the authentication information from each input device into a plurality of events, and provides confidence score metadata based upon the authentication information, a confidence module that generates a confidence score based upon the events, and a threshold table that receives the confidence score and determines an authentication state of the information handling system based upon the confidence score.
    Type: Grant
    Filed: January 13, 2016
    Date of Patent: December 3, 2019
    Assignee: Dell Products, LP
    Inventors: Daniel Hamlin, Charles D. Robison, Jr., Carrie Elaine Gates
  • Patent number: 10482253
    Abstract: In some examples, a computing device may receive (i) settings associated with one or more features of a basic input output system (BIOS) of the computing device and (ii) a device identifier that uniquely identifies the computing device. The computing device may determine a policy identifier that identifies a policy being implemented by the settings associated with the one or more features of the BIOS. The computing device may retrieve a public key associated with an organization that acquired the computing device and send a request to a service to validate the policy. The request may include the policy identifier and the public key. After the computing device receives a response from the service indicating that the policy is valid, the computing device may initiate a reboot and modify, during the reboot, the one or more features of the BIOS of the computing device based on the settings.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: November 19, 2019
    Assignee: Dell Products L.P.
    Inventors: Charles D. Robison, Ricardo L. Martinez, Joseph Kozlowski, Daniel L. Hamlin
  • Publication number: 20190347438
    Abstract: A document management system includes a memory for storing machine-readable code and a processor configured to execute the machine-readable code. The processor stores a first document, a first hash of the first document, and a first key in the memory. The first document is encrypted with the first key. The processor further receives a request for the first key. The request includes a second hash of a second document where the second document is purported to be a copy of the first document. The processor further compares the first hash to the second hash and sends the first key in response to the request when the first hash matches the second hash.
    Type: Application
    Filed: May 10, 2018
    Publication date: November 14, 2019
    Inventors: Daniel L. Hamlin, Charles D. Robison
  • Publication number: 20190332421
    Abstract: A secured container provides access to enterprise data while isolated from the operating system of an Information Handling System (IHS). The secured container remains secured during its delivery and deployment. A secured container is configured to provide a user of the IHS with access to enterprise data. The secured container is encrypted using a symmetrical key that is transmitted to a secured storage that is isolated from the operating system of the IHS via out-of-band communications. The encrypted secured container is digitally signed using an asymmetric key pair. The digital signature and the encrypted secured container are transmitted to the IHS via in-band communications. At the IHS, the public key of the asymmetric key pair is used to validate the digital signature and the private symmetric key is retrieved from secured storage to decrypt the secured container. Additional embodiments provide a technique for securely migrating a secured container between IHSs.
    Type: Application
    Filed: April 25, 2018
    Publication date: October 31, 2019
    Applicant: Dell Products, L.P.
    Inventors: Joseph Kozlowski, Ricardo L. Martinez, Abeye Teshome, Charles D. Robison, Girish S. Dhoble